
Pretty much I want to be able to use multiple SSH keys on the same server for different users. I have a server that I use for both webhosting and as an SSH tunnel. I have set up an account that has no login shell specifically for SSH tunneling. I use the root user to manage the rest of the system.

I have two SSH keys, one with a password for the root user, and one without a password for the SSH tunnel. How do I make it so when I connect as the tunnel user, it uses the tunnel key and when I connect as the root user, it uses the root key?

Richard Hum

1 Answer


If you have one key set up for your root user, the other one for your tunnel user (via file authorized_keys on the server/remote machine), the right key shall be picked automatically.

This is based on the assumption that you loaded the keys in ssh-agent and they are available to the ssh utility.

Otherwise, you can manually specify the key with ssh -i <identity file>.

Besides that, you can set up aliases in your ssh_config file (~/.ssh/config or /etc/ssh/ssh_config):

    Host server-root
        User root
        IdentityFile <path to your key>
        Hostname <real hostname>

    Host server-tunnel
        User tunnel-user
        IdentityFile <path to your key>
        Hostname <real hostname>

Then you use either ssh server-root or ssh server-tunnel.

But I would say working with ssh-agent might be the easiest setup.

If you want auto-selection of the right key without ssh-agent, you could specify both keys via -i.

To quote from the OpenSSH man page:

 -i identity_file
     Selects a file from which the identity (private key) for public
     key authentication is read.  The default is ~/.ssh/identity for
     protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and
     ~/.ssh/id_rsa for protocol version 2.  Identity files may also be
     specified on a per-host basis in the configuration file.  It is
     possible to have multiple -i options (and multiple identities
     specified in configuration files).  ssh will also try to load
     certificate information from the filename obtained by appending
     -cert.pub to identity filenames.
sstn
  • So there is no way for it to detect what user I am trying to login as? – Richard Hum Feb 15 '13 at 05:40
  • @alfonzo1955 What do you mean by 'detect'? The user has to be passed to the ssh server before any authentication will happen. Your question was how to separate the keys if I am not mistaken. – sstn Feb 15 '13 at 07:50
  • I don't want to use ssh-agent. So there is no way for it to automatically pick the correct key based on what user I am trying to login as? – Richard Hum Feb 15 '13 at 15:57
  • @alfonzo1955 See my edit, it seems you can specify -i multiple times. – sstn Feb 15 '13 at 16:29
  • Thanks for your help. I just put the root configuration block before the tunnel one so it defaults to using the root. I can also specifically specify the tunnel user and it will use that key. – Richard Hum Feb 15 '13 at 16:33
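
An added example, not part of the original answer or comments: one way to have the client pick the key from the login user on the same server, without ssh-agent and without separate aliases, is a pair of Match blocks in ~/.ssh/config. The hostname server.example.com and the key file names are placeholders; tunnel-user is the account name used in the answer.

```sshconfig
# ~/.ssh/config (added example; hostname and key paths are placeholders)

# ssh root@server.example.com
# Offer only the passphrase-protected root key for this login.
Match host server.example.com user root
    IdentityFile ~/.ssh/id_root
    # Do not also offer agent keys or default key files; without this,
    # every other loaded key is presented to the server first and can
    # use up the server's allowed authentication attempts.
    IdentitiesOnly yes

# ssh tunnel-user@server.example.com
# Offer only the passphrase-less tunnel key for this login.
Match host server.example.com user tunnel-user
    IdentityFile ~/.ssh/id_tunnel
    IdentitiesOnly yes
```

Running ssh -G root@server.example.com prints the options the client resolved for that login without connecting, so its identityfile line shows which key will be offered.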